Posted
by
Soulskill
on Thursday March 01, 2012 @12:20PM
from the a-bit-more-serious-than-an-iphone-prototype dept.

astroengine writes "NASA had 5,408 computer security lapses in 2010 and 2011, including the March 2011 loss of a laptop computer that contained algorithms used to command and control the International Space Station, the agency's inspector general told Congress Wednesday. According to his statement (PDF), 'These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.'"

Yes, one of these days our fearless mods will learn not to meddle. Me, I remember a day when things were different -- and it would be so nice if we could let there be more light humor and, well, free-for-all (when you're in the mood, anyway), and have fewer people burning bridges wherever they go. I'm just biding my time until then.

I would say that losing the source code to some of the embedded control systems in the ISS is just about the LEAST valuable theft of source code, ever. That code is most likely extremely specialized, designed JUST for whatever system on the ISS in question, and probably had millions of dollars put into refining, optimizing, and debugging it. I bet the code is completely unsuitable for any other purpose for that reason (one way to reduce bugs is to make the code as specific as possible in a low level language).

And, whatever system we are talking about : ventilation, communications, power, water recycling : you can safely bet that the way NASA designed it is TOTALLY unsuitable for commercial use. It probably uses the most expensive possible parts, made by hand, for crucial components of the systems.

I believe you're missing the "evil supervillain holding the world for ransom by manipulating bugs" part. In 5,408 security breaches, surely someone found the password? And has a target in mind that they'd like to drop a space station on?

I doubt the space station has sufficient propulsion to actually de-orbit. Plus, it de-orbits on its own anyway due to drag - it needs re-boosts to keep it up there, from spacecraft.

You probably could put it into a spin and burn up all the propellant, making it almost impossible to recover. Maybe you could even get it to fly apart that way. However, a controlled de-orbit is likely not possible except over the course of years.

The simpler and more 'primative' the better. And it's codes; not source code.

So what I'd do is the most 'primative' and effective thing there is; unhook the reciever from any actuators and unhook the neutral stuff, attached to actuators (except transmittors), from any actuators too.

Let some gifted minds go at a interim system for a week and send a technician with the interim device to the ISS. After that only the most basic stuff should be handled for interim survival of the station and the crew.

I would say that losing the source code to some of the embedded control systems in the ISS is just about the LEAST valuable theft of source code, ever.

Reuse of the code is probably not what they're worried about. Give any sufficiently large amount of code to a group of skilled hackers and they are very likely to find a few exploitable bugs. It's just a matter of playing against the odds in the long run. They may discover a few buffer overflows in obscure places, and after a lot of research, find a way to turn one of them into a privilege escalation via a very complex sequence of steps. And further find a way to abuse that, all the way up to something genuinely dangerous remotely. Systems of this complexity and review typically are only compromised by using a combination of different bugs to "chain" in from the front door to the kernel, and starts with a deep knowledge of the system, and that's exactly what they have now.

Anyone that thinks any large, complex chunk of code is 100% bug-free is delusional. There was a story here on/. recently about a kernel escalation bug that had been committed for years without anyone noticing it, despite all the kernel hackers and that "many eyes make for shallow bugs" theory. Look at all the review that code had over the years.

This is why you decentralize and compartmentalize. The life support doesn't talk to the food dispenser. The boosters responsible for orbital adjustments don't talk to the communications array. Likewise, the solar panel controls are separated, even from each other. Communication happens via a human. Validation that the communication was properly passed on can happen using a passive third system that only accepts input and does not send output.

The life support doesn't talk to the food dispenser. The boosters responsible for orbital adjustments don't talk to the communications array. Likewise, the solar panel controls are separated, even from each other. Communication happens via a human.

The catch is, what happens if the astronauts become incapacitated or are forced to abandon the station without flipping a switch to put the station on to remote ground control? More than likely, there is a way for the station on the ground to remotely broadcast commands to control the crucial systems on the station. (the power systems and all of the rocket engines, as well as perhaps cooling and life support)

That depends. There are a number of things you can do with it, as highlighted by others earlier. Probably even more useful than controlling a satellite.

Had I access to the thing, and were I in a particularly dark mood (complete with super villain costume), I'd try to calculate some re-entry trajectories that would put the thing somewhere where people would care, with a quiet fax to NASA asking for more "ammunition."

I mean, it would probably take a super-computer to calculate the re-entry to the point where

YOu see, hackers could get a hold of that code and design a worm and virus around it. Then, by uplinking to a satellite and hacking into the ISS' control systems from that, they could implant the virus and take over the ISS. Then from there, they order the ISS to fire its thrusters and crash into the Whitehouse. BUT, it will be stopped because Chris Pine, after getting his ass kicked by oen of the Russian astronauts, will get up there and stop it with some clever out witting of the astronauts.

I would say that losing the source code to some of the embedded control systems in the ISS is just about the LEAST valuable theft of source code, ever. That code is most likely extremely specialized, designed JUST for whatever system on the ISS in question, and probably had millions of dollars put into refining, optimizing, and debugging it. I bet the code is completely unsuitable for any other purpose for that reason (one way to reduce bugs is to make the code as specific as possible in a low level languag

This doesn't sound like much of an actual threat. If you can't physically access the machine, what good does having its "algorithms" do you ? What, is Elon Musk going to carry this up to the ISS on the Dragon and take over the air handling system ?

It could mean the Command and Control authentication for remote administration of the station. I'm sure there are SATCOM pirates who would love to screw with the attitude controls of something like the space station.

This laptop I bought on craigslist with the JPL asset tag and wallpaper is starting to look interesting.
What is this "Plumbing Subroutines" folder? And why does ZoneAlarm have it allowed to connect to ISS.nasa.gov?Whoops... [space.com]

What if space aliens stole it as part of their nefarious plot of taking it over and killing us all? Just a thought. Too bad nuclear bombs are banned in space or we could just nuke it in orbit. You know, just to be sure.

I believe to aliens that got here all the way from the blahtopian galaxy, the ISS looks like an expensive space dumpster with technology so 1000 years ago... I would not worry about them:)... If they did anything to the ISS control code, they would probably improve it and maybe we could use the station to finally go to mars - with all due respect to Nasa engineers, which after all have built a huge house in freaking space.... the only thing I launch into space is ugly farts... to be fair, people need space

Just like how they targeted the US's nuclear weapons research programs for the previous couple decades, they are now targeting NASA and aerospace contractors as they build up their own space program. Hell, this theft probably just gave them a good head start on the control systems for their own private space station.

Realistically, like managers of the big banks, the NASA employee in charge of the laptop will go unpunished.

Using Citrix or VMware or Microsoft or other kvm solutions aren't as secure as you might think. Yes, their transports can be pretty tough to crack, but that's after the initial authentication process, which still has those messy humans involved.

One of those messy humans, irresponsible, allowed the machine to be lost. This particular human ought to be waiting without bond on Rikers Island, awaiting arr

All I can say is, big deal. So what, they lost a few laptops. The laptops were most likely encrypted - seriously, every govenrment agency and contractor for years has been encrypting laptops. Even if they used a weak encryption scheme, when the thief realized they were encrypted, he probably just formatted the harddrive, installed a bootlegged OS, and sold it on ebay. I think the bigger issue is here that NASA needs to teach their employees to take better care of their laptops - this probably cost NASA a wh